authorDavid Morgan <djm_uk@protonmail.com>2022-11-24 16:37:10 +0000
committerDavid Morgan <djm_uk@protonmail.com>2022-11-24 16:37:10 +0000
commitae42d530201accc7bccbba892f200e21d8607de0 (patch)
tree09cd24b7a154b6b081f4e4fd96ea58b37cd46a26
parentda3cff54f2be67d4ca64716959acf532a14e08a6 (diff)
downloaddotfiles-ae42d530201accc7bccbba892f200e21d8607de0.tar.gz
Add experimental sops setup sops
-rw-r--r--nix-conf/.sops.yaml7
-rw-r--r--nix-conf/home/includes/common.nix4
-rw-r--r--nix-conf/home/otm.nix10
-rw-r--r--nix-conf/secrets/home.json21
-rw-r--r--setup-home.sh3
5 files changed, 41 insertions, 4 deletions
diff --git a/nix-conf/.sops.yaml b/nix-conf/.sops.yaml
new file mode 100644
index 0000000..87069e7
--- /dev/null
+++ b/nix-conf/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &admin_djm age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv
+creation_rules:
+  - path_regex: secrets/[^/]+\.json$
+    key_groups:
+    - age:
+      - *admin_djm
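Review bot: `creation_rules` names a single age recipient, so losing the `admin_djm` key makes every file matched under `secrets/` unrecoverable; add at least a second recipient (a backup key or a key held on another machine) to the `age:` group before more secrets depend on this file. `path_regex: secrets/[^/]+\.json$` is anchored only at the end, so it also matches any deeper path that contains a `secrets/` segment; if only the top-level directory is meant, `path_regex: ^secrets/[^/]+\.json$`. A short comment would also help the next reader, since sops appears to match the regex against paths relative to this file's directory: `# paths are matched relative to nix-conf/`.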
diff --git a/nix-conf/home/includes/common.nix b/nix-conf/home/includes/common.nix
index 971aa7d..0adb529 100644
--- a/nix-conf/home/includes/common.nix
+++ b/nix-conf/home/includes/common.nix
@@ -2,9 +2,10 @@
 let
   hcr = pkgs.callPackage ./scripts/hm-changes-report.nix { inherit config pkgs; };
   scr = pkgs.callPackage ./scripts/system-changes-report.nix { inherit config pkgs; };
+  secrets = "${config.home.homeDirectory}/dotfiles/nix-conf/secrets/home.json";
+  email = builtins.exec [ "sops" "-d" "--extract" ''["email"]'' secrets ];
 in
 {
-
   imports = [
     ./zsh.nix
   ];
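Review bot: `email` comes from `builtins.exec`, which runs `sops` at evaluation time and parses its stdout as a Nix expression, and it only evaluates because this commit's `setup-home.sh` change turns on `allow-unsafe-native-code-during-evaluation` for every Nix evaluation on the machine via `nix.conf`; scoping that to the one invocation that needs it (for example `NIX_CONFIG="allow-unsafe-native-code-during-evaluation = true" home-manager switch`) would avoid letting unrelated flakes or inputs run native code during evaluation. Note also that the decrypted value is written into the generated git config, which lives in the world-readable Nix store, so this pattern fits values like an e-mail address but not anything that must stay secret; a comment above the binding should say so: `# decrypted at eval time and ends up in the world-readable store — non-sensitive values only`. The same `secrets`/`email` lines are repeated in `nix-conf/home/otm.nix`; hoisting them into a shared include would keep the secrets path and the extract command in one place. The attribute set opened by `{` continues outside the hunk.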
@@ -172,6 +173,7 @@ in
   programs.git = {
     enable = true;
     userName = "David Morgan";
+    userEmail = email;
     aliases = {
       # difftastic
       logt = "!sh -c 'GIT_EXTERNAL_DIFF=\"difft --background=dark\" git log -p --ext-diff'";
diff --git a/nix-conf/home/otm.nix b/nix-conf/home/otm.nix
index 667493c..9c7d3f6 100644
--- a/nix-conf/home/otm.nix
+++ b/nix-conf/home/otm.nix
@@ -1,4 +1,9 @@
 { config, lib, pkgs, ... }:
+let
+  secrets = "${config.home.homeDirectory}/dotfiles/nix-conf/secrets/home.json";
+  email = builtins.exec [ "sops" "-d" "--extract" ''["email"]'' secrets ];
+  otmEmail = builtins.exec [ "sops" "-d" "--extract" ''["otm_email"]'' secrets ];
+in
 {
   imports = [ 
     ./includes/darwin.nix
@@ -14,9 +19,10 @@
 
   programs.git = {
     signing.signByDefault = lib.mkForce false;
+    userEmail = lib.mkForce otmEmail;
     includes = [
-      { path = "~/.gitconfig-personal"; condition = "gitdir:~/src/personal/"; }
-      { contents = { commit.gpgSign = true; }; condition = "gitdir:~/src/personal/"; }
+      #{ path = "~/.gitconfig-personal"; condition = "gitdir:~/src/personal/"; }
+      { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/src/personal/"; }
     ];
     extraConfig = {
       github.user = "david-morgan-otm";
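Review bot: The old `~/.gitconfig-personal` include is commented out rather than deleted; git history already keeps it, so drop the `#{ path = "~/.gitconfig-personal"; ... }` line instead of leaving dead configuration in the `includes` list. `userEmail = lib.mkForce otmEmail;` overrides the value set in `common.nix`, while the conditional include sets `user.email = email` only for repositories under `~/src/personal/`; a one-line comment would save the next reader a lookup: `# otm address by default; personal address for ~/src/personal/ via the conditional include below`. The `programs.git` block continues outside the hunk.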
diff --git a/nix-conf/secrets/home.json b/nix-conf/secrets/home.json
new file mode 100644
index 0000000..0f5d159
--- /dev/null
+++ b/nix-conf/secrets/home.json
@@ -0,0 +1,21 @@
+{
+	"email": "ENC[AES256_GCM,data:JucGARLeoO/hyIMJ7lMkuBbOYwKEUOY=,iv:4BLS8UKliUMlaWiozcri/djggBusdKy7ndm6mAL+E40=,tag:/0qaF1ZN7rbxEF6c0doJlg==,type:str]",
+	"otm_email": "ENC[AES256_GCM,data:TtM2XS6qbZ7aJ/bDUWVmXtMLJ4X0BhVTahuIqrXf,iv:juQg3C7J/1rB70gO2JhaQn/LpNAd4sBxIB0X+HF9Wdg=,tag:FPkR1iFI+Xr+z124054Qvg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSREJ0d0ovTG1rNlc5UE1G\ncHRYQXRpVERpc1BRNkYrOE4wUUM3dythd2xJCjhxd1BNbFU3L1FKRlZ6T3Zkc0xp\nOWVGa01vaHU3OVgyNUNKMS8rTTJtd3cKLS0tIEVUbDgvSXNUem9RRks4bldTOTRN\nNUdMWlN5cVlGbUFzWjZMNDdUWStRZGMKcsIyTckmsm1Okuhve7Dyo+yYszKhlt4/\nFEjgvsGC7bffAlQKSWQnXjjXgXUYBipPTtsWJhuud0WW/HSVKoIQgw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2022-11-24T15:02:45Z",
+		"mac": "ENC[AES256_GCM,data:tQFuairIjOZR25cYW6iZrbEDZiwVqyp4zu5Dm5o83qY8jj4IXqrgzsIjdFjTfPBJzUhpX0JCRz4B/TKXEWX4C+2FL3b1qPQRzOG8zc+oBICmPQkLq9WNlcTzigEzKlcUVuO3wgi72CmSaLPFdiiGVj411v13XJHwmO/7gvRAVL8=,iv:pddUtAK5PdPEN8nx9ZucYQcDNxgGFpewaEWuK5KmBzc=,tag:M2N3daB0WKYQrN29bSl1/A==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file
diff --git a/setup-home.sh b/setup-home.sh
index 29c621d..a142021 100644
--- a/setup-home.sh
+++ b/setup-home.sh
@@ -14,7 +14,8 @@ ln -sf ~/dotfiles/.p10k.zsh ~/
 ln -sf ~/dotfiles/.emacs.d ~/
 
 mkdir ~/.config/nix
-echo "extra-experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
+echo "extra-experimental-features = nix-command flakes
+allow-unsafe-native-code-during-evaluation = true" > ~/.config/nix/nix.conf
 
 home-manager switch